[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <s5h1s51120e.wl-tiwai@suse.de>
Date: Fri, 25 Jan 2019 11:10:25 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Baolin Wang <baolin.wang@...aro.org>
Cc: Jaroslav Kysela <perex@...ex.cz>, Leo Yan <leo.yan@...aro.org>,
Mark Brown <broonie@...nel.org>, alsa-devel@...a-project.org,
Arnd Bergmann <arnd@...db.de>,
Kees Cook <keescook@...omium.org>, bgoswami@...eaurora.org,
sr@...x.de, gustavo@...eddedor.com,
Phil Burk <philburk@...gle.com>,
Matthew Wilcox <willy@...radead.org>,
mchehab+samsung@...nel.org, sboyd@...nel.org,
Vinod Koul <vkoul@...nel.org>,
Daniel Thompson <daniel.thompson@...aro.org>,
Mathieu Poirier <mathieu.poirier@...aro.org>,
Srinivas Kandagatla <srinivas.kandagatla@...aro.org>,
anna-maria@...utronix.de, Jon Corbet <corbet@....net>,
Jeffery Miller <jmiller@...erware.com>,
Charles Keepax <ckeepax@...nsource.wolfsonmicro.com>,
joe@...ches.com, Takashi Sakamoto <o-takashi@...amocchi.jp>,
colyli@...e.de, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [RFC PATCH] ALSA: core: Add DMA share buffer support
On Fri, 25 Jan 2019 10:25:37 +0100,
Baolin Wang wrote:
>
> Hi Jaroslav,
> On Thu, 24 Jan 2019 at 21:43, Jaroslav Kysela <perex@...ex.cz> wrote:
> >
> > Dne 23.1.2019 v 13:46 Leo Yan napsal(a):
> > > Hi all,
> > >
> > > On Wed, Jan 23, 2019 at 12:58:51PM +0100, Takashi Iwai wrote:
> > >> On Tue, 22 Jan 2019 21:25:35 +0100,
> > >> Mark Brown wrote:
> > >>>
> > >>> On Mon, Jan 21, 2019 at 03:15:43PM +0100, Jaroslav Kysela wrote:
> > >>>> Dne 21.1.2019 v 13:40 Mark Brown napsal(a):
> > >>>
> > >>>>> It was the bit about adding more extended permission control that I was
> > >>>>> worried about there, not the initial O_APPEND bit. Indeed the O_APPEND
> > >>>>> bit sounds like it might also work from the base buffer sharing point of
> > >>>>> view, I have to confess I'd not heard of that feature before (it didn't
> > >>>>> come up in the discussion when Eric raised this in Prague).
> > >>>
> > >>>> With permissions, I meant to make possible to restrict the file
> > >>>> descriptor operations (ioctls) for the depending task (like access to
> > >>>> the DMA buffer, synchronize it for the non-coherent platforms and maybe
> > >>>> read/write the actual position, delay etc.). It should be relatively
> > >>>> easy to implement using the snd_pcm_file structure.
> > >>>
> > >>> Right, that's what I understood you to mean. If you want to have a
> > >>> policy saying "it's OK to export a PCM file descriptor if it's only got
> > >>> permissions X and Y" the security module is going to need to know about
> > >>> the mechanism for setting those permissions. With dma_buf that's all a
> > >>> bit easier as there's less new stuff, though I've no real idea how much
> > >>> of a big deal that actually is.
> > >>
> > >> There are many ways to implement such a thing, yeah. If we'd need an
> > >> implementation that is done solely in the sound driver layer, I can
> > >> imagine to introduce either a new ioctl or an open flag (like O_EXCL)
> > >> to specify the restricted sharing. That is, a kind of master / slave
> > >> model where only the master is allowed to manipulate the stream while
> > >> the slave can mmap, read/write and get status.
> > >
> > > In order to support EXCLUSIVE mode, it is necessary to convert the
> > > /dev/snd/ descriptor to an anon_inode:dmabuffer file descriptor.
> > > SELinux allows that file descriptor to be passed to the client. It can
> > > also be used by the AAudioService.
> >
> > Okay, so this is probably the only point which we should resolve for the
> > already available DMA buffer sharing in ALSA (the O_APPEND flag).
> >
> > I had another glance to your dma-buf implementation and I see many
> > things which might cause problems:
> >
> > - allow to call dma-buf ioctls only when the audio device is in specific
> > state (stream is not running)
>
> Right. Will fix.
>
> > - as Takashi mentioned, if we return another file-descriptor (dma-buf
> > export) to the user space and the server closes the main pcm
> > file-descriptor (the client does not) - the result will be a crash (dma
> > buffer will be freed, but referenced through the dma-buf interface)
>
> Yes, will fix.
There are a few more overlooked problems. A part of them was already
mentioned in my previous reply, but let me repeat:
- The racy ioctls have to be considered; you can perform this export
ioctl concurrently, and both of them write and mix up the setup,
which is obviously broken.
- The PCM buffer can be re-allocated on the fly. If the current
buffer is abandoned while exporting, it leads to the UAF.
- Similarly, what if the PCM stream that is attached is closed without
detaching itself? Or, what if the PCM stream attaches itself twice
without detaching?
- The driver may provide its own mmap method, and you can't hard-code
the mmap implementation as currently in snd_pcm_dmabuf_mmap().
I suppose you can drop of most of the code in snd_pcm_dmabuf_map(),
instead, assign PCM substream in obj, and call snd_pcm_mmap_data()
with the given VMA. If this really works, it manages the mmap
refcount, so the previous two issues should be covered there.
But it needs more consideration...
- What happens to the PCM buffer that has been allocated before
attaching, if it's not the pre-allocated one?
It should be released properly beforehand, otherwise leaks.
- There is no validation of the attached dma-buf pages; most drivers
set coherent DMA mask, and they rely on it. e.g. if a page over the
DMA mask is passed, it will break silently.
- Some drivers don't use the standard memory pages but keep their own
hardware buffer (e.g. rme96 or rm32 driver). This ioctl would be
completely broken on such hardware.
That is, we need some sanity check whether the PCM allows the
arbitrary dma-buf or not.
thanks,
Takashi
Powered by blists - more mailing lists